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What is claimed is: 

1 . A directory server comprising: 

at least one role, said role defined as an entry grouping mechanism, wherein a role 
5 is uniquely defined by distinguishing name (DN) of its defining entry. 

2. The directory server as in claim 1, wherein the defining entry is nsRole, which 
comprises one or more distinguishing names. 

10 3. A method of grouping a plurality of entries in a directory server, the method 
comprising the step of: 

assigning at least one role to a first entry, said at least one role being an entry 
grouping mechanism defined by distinguishing name of its defining entry. 

15 4. The method as in claim 3, wherein the defining entry is nsRole, which comprises 
one or more distinguishing names. 

5. A method for searching an entry in a directory server, the directory server storing 
a plurality of entries, at least one of the plurality of entries possessing at least one role, 

20 said role being an entry grouping mechanism defined by distinguishing name of its 
defining entry, the method comprising the steps of: 

receiving a request to enumerate role membership for a particular role; 
comparing a plurality of entries stored in the directory server by checking a 
predetermined role attribute for the particular role; and 
25 returning the result of the comparison. 

6. The method of claim 5, further comprising the step of: 

assigning at least one role to a first entry in the directory server, said at least one 
role being an entry grouping mechanism defined by distinguishing name of its defining 



-68- 



P5829 



entry. 



7. A data processing system for searching for checking entries in a directory server 
for role membership, the system comprising: 
5 a CPU; 

a memory coupled to the CPU, the memory storing a directory comprising a 
plurality of entries, each said entry being associated with a role containing a predefined 
role attribute; 

wherein the memory stores a search program which is executable by the CPU to 
10 check role membership by searching the predefined role attribute; and 
O to return the result of the search if any entries possess the role. 

W 8. hi a dkectory system comprising a client computer configured to execute 

%4 applications to perform membership verification in a directory communicatively coupled 



M 15 to a server computer, the directory server storing a plurality of entries, a method of 
reducing client-side complexity in searching for a particular entry, the method comprising 
the steps of: 

configuring the server computer to assign at least one role to a subset of the 
plurality of entries, said at least one role being an entry grouping mechanism defined by 
20 distinguishing name of its defining entry, 

9, A computer program product comprising a computer readable medium having 
computer readable code embodied therein for processing data in a directory server by: 

receiving a request for enumerating role membership for a particular role; 
comparing a plurality of entries stored in the directory server by checking a 
25 predetermined role attribute; and 

returning the result of the comparison. 

10. The method of claim 9, further comprising the step of: 
providing a set of expressions and boolean operations for use in a directory 
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search. 



11. The method of claim 10, wherein the expressions comprise any one or more of 
operands connected by the operators, 



equal 
contains 

10 sounds like 

greater or equal 
less or equal 
negation 
and 

15 or 



>= 
<= 



= where an instance of the attribute exactly 
matches the value; 

* which is used as a wild card to allow presence check 

or partial matches; 

which is used in name searches; 

which is used for numerical comparisons; 

which is used for numerical comparisons; 

which is used to negate any expression; 

& which is used to combine two expressions; and 

I which is used to select from two expressions. 



12. A method for use in connection with application and network services to provide 
a directory service that defines roles for directory members, the method comprising the 
steps of: 

20 defining a directory search specification for a role based on user attribute 

information, where said role can be possessed by any set of members and in which roles 
possessed by users are defined by the directory search specification; 

evaluating said directory search specification at service delivery time; 
determining whether information maintained in a directory matches said directory 
25 search specification; and 

delivering said service. 

13. The method of claim 12, further comprising the step of: 

providing a set of expressions and boolean operations for use in a directory 
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search. 



14. The method of claim 13, wherein the expressions comprise any one or more of 
operands connected by the operators, 



equal 
contains 

10 sounds like 

greater or equal 
less or equal 
negation 
and 

15 or 



>- 
<= 
1 



= where an instance of the attribute exactly 
matches the value; 

* which is used as a wild card to allow presence check 

or partial matches; 

which is used in name searches; 

which is used for numerical comparisons; 

which is used for numerical comparisons; 

which is used to negate any expression; 

& which is used to combine two expressions; and 

I which is used to select from two expressions. 



15. A method of configuring a directory server comprising a plurality of entries, the 
method comprising the steps of: 

defining a computed attribute for an entry; 
20 assigning a value to the computed attribute, whereby said entry is capable of being 

grouped with other entries that have the same or a similar value for the computed 
attribute; and 

configuring the directory server software to perform search operations, thereby 
reducing complexity in a client program that accesses the directory server, 

25 

16. The method of claim 15, further comprising the step of: 

providing a set of expressions and boolean operations for use in a directory 

search. 
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17. The method of claim 16, wherein the expressions comprise any one or more of 
operands connected by the operators. 



equal 



where an instance of the attribute exactly 



matches the value; 



contains 



* which is used as a wild card to allow presence check 
or partial matches; 



sounds like 



which is used in name searches; 



greater or equal 
10 less or equal 
negation 



or 



and 



>= 



<= 



which is used for numerical comparisons; 

which is used for numerical comparisons; 

which is used to negate any expression; 

& which is used to combine two expressions; and 

I which is used to select from two expressions. 



15 18. A method of computing which roles an entry possesses, said method comprising 
the steps of: 

validating that the entry meets the criteria to possess a role; and 
determining that the entry falls within the scope of the role. 

20 19. A method of determining all roles possessed by an entry in a directory system, the 
method comprising the steps of: 

examining a computed attribute associated with the entry for a list of values of the 
computed attribute, and 

enumerating each value, which is a distinguishing name (DN) representing a role 
25 possessed by that entry. 

20. The method as in claim 21, wherein the computed attribute is nsRole. 

21. A method of obviating the need to examine all groups in a directory system in 
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order to determine the roles possessed by an entry, the method comprising the steps of: 
configuring the directory system to contain roles; and 

returning a list of computed values of a computed attribute belonging to the entry, 
whereby all the roles possessed by the entry are obtained. 

5 

22. The method as in claim 21 , wherein the computed attribute is nsRole. 

23. In a directory system comprising a plurality of entries and a plurality of roles 
possessed by the plurality of entries, a method of enumerating the membership of a 

10 desired role, the method comprising the steps of: 

locating all roles that are in scope with an entry that possesses the desired role; 
iterating over the in-scope roles looking for the entries that possess the desired 

role; 

adding, to an attribute's value set, the distinguishing names (DNs) 
15 of those entries that possess the desired role. 
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